Splunk Enterprise Security

Why aren't Enterprise Security Webhooks and PagerDuty in the dropdown in ES Adaptive Response?

tonymorin
Explorer

Not sure why I see all my alert options in Search and Reporting, but when I look in Enterprise Security, webhooks and PagerDuty are not in the drop-down. I have checked the action permissions and they are global, and I am 100% admin of the system. Not sure if it's ES or what... I feel like I should see at least the webhooks option in ES? Thanks in advance.

0 Karma
1 Solution

tonymorin
Explorer

Found the answer for ES at least.
Found the fix. We had to add PagerDuty to the App Imports Update with the following string:
([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|(utbox)|(pagerduty_incidents)
Now it's an alert option in ES as well and works, FYI.

View solution in original post

0 Karma
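As an added illustration, not code from the thread or from Splunk, the following Python shows why an alert-action app is missing from the ES dropdown: its directory name does not match the App Imports Update regex. It restores the .* quantifiers the forum rendering dropped, assumes the first three alternatives are ES's stock pattern and that the pattern is applied as an anchored full match, and uses constructed app directory names.

```python
import re

# Stock ES import pattern (assumed: the first three alternatives of the string
# in the thread) and the extended pattern from the accepted answer, with the
# ".*" quantifiers restored that the forum rendering ate.
DEFAULT_APP_REGEX = r"([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)"
UPDATED_APP_REGEX = (
    r"([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)"
    r"|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)"
    r"|(utbox)|(pagerduty_incidents)"
)


def imported_apps(app_names, app_regex, app_exclude_regex=None):
    """Return the app names the import regex selects.

    Assumption: the regex is applied as an anchored full match (the stricter
    reading); a prefix match would only import more apps, never fewer.
    """
    include = re.compile(app_regex)
    exclude = re.compile(app_exclude_regex) if app_exclude_regex else None
    selected = []
    for name in app_names:
        if include.fullmatch(name) is None:
            continue
        if exclude is not None and exclude.fullmatch(name):
            continue
        selected.append(name)
    return selected


def missing_from_es(app_names, app_regex, app_exclude_regex=None):
    """Apps under etc/apps that ES will NOT import, i.e. whose alert actions
    cannot appear in the Adaptive Response dropdown."""
    selected = set(imported_apps(app_names, app_regex, app_exclude_regex))
    return [n for n in app_names if n not in selected]


# Constructed sample of app directory names on an ES search head.
# alert_webhook ships Splunk's built-in webhook action and falls outside the
# stock pattern just like pagerduty_incidents does.
SAMPLE_APPS = [
    "SplunkEnterpriseSecuritySuite", "DA-ESS-ThreatIntelligence",
    "SA-Utils", "TA-slack_alerts", "Splunk_TA_windows",
    "pagerduty_incidents", "alert_webhook", "search",
]

if __name__ == "__main__":
    for label, regex in (("default", DEFAULT_APP_REGEX), ("updated", UPDATED_APP_REGEX)):
        print(label, "not imported:", missing_from_es(SAMPLE_APPS, regex))
```

Run it against a real listing of $SPLUNK_HOME/etc/apps to see which installed action apps the current pattern leaves out before editing the regex.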


zschmerber
Explorer

Where is the "app imports update"? Is that a .conf or .py file somewhere in Splunk or the TA?

I want to know where to paste the string:

([DST]A-.*)|(Splunk_[DST]A_.*)|(SplunkEnterpriseSecuritySuite)|(SecKit_[DST]A_.*)|(alert_governance)|(SA-org_custom_content)|(utbox)|(pagerduty_incidents)

Thanks for your help.

0 Karma


fandharper
Engager

I had the same issue. Here's what I did to make it work:

  1. Changed the name of the app to TA-slack_alerts (probably not necessary)
  2. Added empty tags.conf and eventtypes.conf files to TA-slack_alerts/default
  3. Modified slack.html (in TA-slack_alerts/default/data/ui/alerts) to use an input instead of a text area, because I was getting an error stating that no message was specified even though there was one.

Now it shows up and I'm successfully able to have it send me alerts when my correlation searches fire.

Hope this helps,

-Dan

starcher
Influencer

The slack app was updated this week to use the naming convention TA- and AR support.


starcher
Influencer

Just because something is coded as an alert action does not mean the developer made them into ES compatible Adaptive Responses. There is extra setup for that. My expectation is those are not built to be explicitly adaptive responses for ES.

kchamplin_splun
Splunk Employee

@Starcher is correct - the ES import fix will allow it to show up as an alert option in the correlation search builder, but there's underlying functionality that will not work (such as UI updates, etc). There's a canonical example for how to implement an AR action:
http://dev.splunk.com/view/enterprise-security/SP-CAAAFBH

Note that eventtypes and tags are an important part of making the drilldown capability work, and you also need to implement the action as a subclass of ModularAction so that things like the logging format and the other class methods (addevent and writeevents) are used.

0 Karma